FreePBX Server behind XG Firewall

Does anyone have a clear example on how to set up proper firewall rules for a FreePBX server running behind an XG firewall?  I have spent hours and hours on this as well as a consultant and we can't get inbound and outbound calls to work.  This is a 10 minute job on any other firewall we have worked on.  Between the two of us we have more than 40 years experience in IT and this is just impossible to configure.  Any help would be appreciated.  Thanks.

Sophos Firmware Version SFOS 17.5.8 MR-8


  • Hello @Jae Lupo,

    had a similar experience with a PBX from a German provider.

    What I needed to do was the following:
    - Disable SIP Module under CLI
    - Create a Host Object in the XG for the PBX
    - Collect all Information about Open Ports needed. (Provider dependent)
    - Create Service Objects for Ports needed by the PBX
    - Create a dedicated Firewall Rule with Enabled NAT Masq for the PBX that does not have IDS/IPS enabled, since some Rules drop SIP connections.

    LAN, PBX Host-> WAN, (Provider IP) -> Services (Provider Service Ports needed or if not documented well "Any" for testing and logging)

    No Webfilter, No IDS / IPS, No SSL Inspection


    Best regards
    Eli.

  • Thank you Eli, but I still can't get two-way audio to work.  It appears the XG firewall is still blocking or dropping packets somehow.  I even opened all ports in and out to the machine and it still doesn't work.  I got attacked right away and shut that down, but even during that short time the PBX server could not communicate properly.  Any other ideas?  Thanks.

  • FormerMember (in reply to Jae Lupo)

    Hi Jae,

    Eli's reply pretty much covers the settings for VoIP traffic.

    If the PBX server is still not working, you could try to check if there is any blocking via log viewer by switching to Detailed view and filter with the PBX server IP address.

    Besides, it's worth checking how the phones are working with the PBX server, like how the phones send/receive traffic when making and receiving calls. Make sure the firewall rule is configured for the phones network to go to WAN or PBX server, if needed.

    The below is a KBA for VoIP tweaks on XG - 

    https://community.sophos.com/kb/en-us/127785

    If you are still facing the issue, you could create the support ID on the XG firewall and send it to me via PM, so I could jump in and have a look at the firewall.

    https://community.sophos.com/kb/en-us/122784

  • Thanks Captain.  I have already applied the tweaks in the KBA you sent and it didn't change anything.  I opened a support case if you want to take a look. Something is still blocking the PBX.  The trunks register with the SIP provider, the phones are outside the network and register with the PBX but the PBX says there is an issue with the port forwarding to the server and the phones can't dial out or receive calls.  Thanks.

  • Hello  

    what I forgot to ask was what type of VoIP is in use with the PBX.

    I ask because there are two types of SIP deployments:
    - SIP Trunk over PBX
    - SIP Client, where the phones are able to create their own VoIP connection and the PBX acts as an accounting service

    Example:

    SIP Trunk
    Phone ----> PBX ----> FW ----> I-Net

    SIP Client
    Phone <----> PBX ---->FW ----> I-Net
    Phone -----> FW ----> I-Net

    Other factors are the network setup:

    Normally the PBX is in the Server Network 192.168.0.x /24
    Phone Network 192.168.100.x /24
    The DHCP Config with Custom Option comes from the PBX or a DHCP Server where an Option can be added!
    The reason is the route from Phone to PBX for downloading the config, and the route back (if needed).

    If the setup is similar then there should be two Rules: one for the PBX to WAN with Services Needed and one for Phone to WAN with Services Needed.

    Best regards
    Eli.


  • Eli,

    I am using SIP trunks.  The phones are all external, say at a person's home working remotely.  The phones are hitting our gateway (XG Firewall) then forwarded to the internal FreePBX server.  The PBX server then connects to the SIP provider and provides the connection back to the phone.  The FreePBX server is registering with the SIP provider and the phones are registering with the FreePBX server.  The phones can make outbound calls and receive calls but now there is no audio both ways.  I have two rules set up, a DNAT and an SNAT.  I know I am close to getting this to work but it is still not right.

    Jae

  • Hello  

    I think the issue is the NAT between the Phones and PBX. The VoIP UDP Packets get dropped or not answered.

    The NAT used in such a case should be a 1:1 NAT - In another Part, the address where it gets translated to needs a Firewall Rule in the XG.

    Example:

    PhoneExternalNet to PBX with Services needed [Optional] + NAT Rule Linked to this FW Rule or applied to ^^

    Same thing for the PBX

    PBX to WAN with Services needed [Optional] 

    Here is a short Explanation (Answered by LuCar Toni) what I mean by it with the NAT -> https://community.sophos.com/products/xg-firewall/f/network-and-routing/116643/example-for-full-nat

    Best regards

    Eli.

  • Is the issue only with remote phones, or does it happen with on-premise phones as well?

  • Good question, and unfortunately I don't know because all my users are working from home and I am in the US and they are in the UK. I have also set all their phones to connect to the external IP of the office so they can come and go with their phones as needed as this lock down continues.  For this reason, even if the phone was in the office it is still going out and back in to connect.  I think I have it working now with 3 rules and I will post them here in a little while after I test it further.  Maybe someone can see if the rules can be condensed into one or two, but I think I need two full NAT rules for this to work as stated above by Eli.